- block: - name: set connection information for all tasks set_fact: aws_connection_info: &aws_connection_info aws_access_key: "{{ aws_access_key }}" aws_secret_key: "{{ aws_secret_key }}" security_token: "{{ security_token }}" region: "{{ aws_region }}" no_log: yes - name: create VPC ec2_vpc_net: cidr_block: 10.228.228.0/22 name: "{{ resource_prefix }}_vpc" state: present <<: *aws_connection_info register: vpc - name: create public subnet ec2_vpc_subnet: cidr: "{{ item.cidr }}" az: "{{ aws_region}}{{ item.az }}" vpc_id: "{{ vpc.vpc.id }}" state: present tags: Public: "{{ item.public|string }}" Name: "{{ item.public|ternary('public', 'private') }}-{{ item.az }}" <<: *aws_connection_info with_items: - cidr: 10.228.228.0/24 az: "a" public: "True" - cidr: 10.228.229.0/24 az: "b" public: "True" - cidr: 10.228.230.0/24 az: "a" public: "False" - cidr: 10.228.231.0/24 az: "b" public: "False" register: subnets - ec2_vpc_subnet_facts: filters: vpc-id: "{{ vpc.vpc.id }}" <<: *aws_connection_info register: vpc_subnets - name: create IGW ec2_vpc_igw: vpc_id: "{{ vpc.vpc.id }}" <<: *aws_connection_info - name: create NAT GW ec2_vpc_nat_gateway: if_exist_do_not_create: yes wait: yes subnet_id: "{{ subnets.results[0].subnet.id }}" <<: *aws_connection_info register: nat_gateway - name: create public route table ec2_vpc_route_table: vpc_id: "{{ vpc.vpc.id }}" tags: Public: "true" Name: "Public route table" <<: *aws_connection_info register: create_public_table - name: assert that public route table has an id assert: that: - create_public_table.changed - "create_public_table.route_table.id.startswith('rtb-')" - "'Public' in create_public_table.route_table.tags and create_public_table.route_table.tags['Public'] == 'true'" - name: recreate public route table ec2_vpc_route_table: vpc_id: "{{ vpc.vpc.id }}" tags: Public: "true" Name: "Public route table" <<: *aws_connection_info register: recreate_public_route_table - name: assert that public route table did not change assert: that: - not recreate_public_route_table.changed - name: add a route to public route table ec2_vpc_route_table: vpc_id: "{{ vpc.vpc.id }}" tags: Public: "true" Name: "Public route table" routes: - dest: 0.0.0.0/0 gateway_id: igw <<: *aws_connection_info register: add_routes - name: add subnets to public route table ec2_vpc_route_table: vpc_id: "{{ vpc.vpc.id }}" tags: Public: "true" Name: "Public route table" routes: - dest: 0.0.0.0/0 gateway_id: igw subnets: "{{ vpc_subnets|json_query('subnets[?tags.Public == `True`].id') }}" <<: *aws_connection_info register: add_subnets - name: add a route to public route table ec2_vpc_route_table: vpc_id: "{{ vpc.vpc.id }}" tags: Public: "true" Name: "Public route table" routes: - dest: 0.0.0.0/0 gateway_id: igw <<: *aws_connection_info register: add_routes - name: rerun with purge_routes set to false ec2_vpc_route_table: vpc_id: "{{ vpc.vpc.id }}" tags: Public: "true" Name: "Public route table" purge_routes: no subnets: "{{ vpc_subnets|json_query('subnets[?tags.Public == `True`].id') }}" <<: *aws_connection_info register: no_purge_routes - name: assert route table still has routes assert: that: - not no_purge_routes.changed - no_purge_routes.route_table.routes|length == 2 # FIXME: - no_purge_routes.route_table.associations|length == 2 - name: rerun with purge_subnets set to false ec2_vpc_route_table: vpc_id: "{{ vpc.vpc.id }}" tags: Public: "true" Name: "Public route table" purge_subnets: no routes: - dest: 0.0.0.0/0 <<: *aws_connection_info register: no_purge_subnets - name: assert route table still has subnets assert: that: # FIXME: - not no_purge_subnets.changed - no_purge_subnets.route_table.routes|length == 2 # FIXME: - no_purge_subnets.route_table.associations|length == 2 # FIXME: purge_tags doesn't exist yet # # - name: rerun with purge_tags not set (implicitly false) # ec2_vpc_route_table: # vpc_id: "{{ vpc.vpc.id }}" # routes: # - dest: 0.0.0.0/0 # subnets: "{{ vpc_subnets|json_query('subnets[?tags.Public == `True`].id') }}" # <<: *aws_connection_info # register: no_purge_tags # # - name: assert route table still has tags # assert: # that: # - not no_purge_tags.changed # - "'Public' in no_purge_tags.route_table.tags and no_purge_tags.route_table.tags['Public'] == 'true'" - name: purge subnets ec2_vpc_route_table: vpc_id: "{{ vpc.vpc.id }}" routes: - dest: 0.0.0.0/0 tags: Public: "true" Name: "Public route table" <<: *aws_connection_info register: purge_subnets # FIXME: this doesn't currently work but with no associations present difficult to see why not # - name: assert purge subnets worked # assert: # that: # - purge_subnets.changed # # FIXME: - purge_subnets.route_table.associations|length == 0 # - purge_subnets.route_table.id == create_public_table.route_table.id - name: purge routes ec2_vpc_route_table: vpc_id: "{{ vpc.vpc.id }}" tags: Public: "true" Name: "Public route table" <<: *aws_connection_info register: purge_routes - name: assert purge routes worked assert: that: - purge_routes.changed # FIXME: purge_routes does work but the result is not up to date and returns # the route - a wait period might help # - purge_routes.route_table.routes|length == 1 - purge_routes.route_table.id == create_public_table.route_table.id - name: update tags ec2_vpc_route_table: vpc_id: "{{ vpc.vpc.id }}" route_table_id: "{{ create_public_table.route_table.id }}" lookup: id # FIXME: purge_tags: yes tags: Updated: new_tag <<: *aws_connection_info register: update_tags - name: assert purge tags worked assert: that: - update_tags.changed - "'Updated' in update_tags.route_table.tags and update_tags.route_table.tags['Updated'] == 'new_tag'" # FIXME: - "'Public' not in update_tags.route_table.tags" - name: create private route table ec2_vpc_route_table: vpc_id: "{{ vpc.vpc.id }}" tags: Public: no Name: private route table routes: - gateway_id: "{{ nat_gateway.nat_gateway_id }}" dest: 0.0.0.0/0 subnets: "{{ vpc_subnets|json_query('subnets[?tags.Public == `False`].id') }}" <<: *aws_connection_info register: create_private_table - name: assert creating private route table worked assert: that: - create_private_table.changed - create_private_table.route_table.id != create_public_table.route_table.id - "'Public' in create_private_table.route_table.tags" - name: destroy public route table ec2_vpc_route_table: route_table_id: "{{ create_public_table.route_table.id }}" lookup: id vpc_id: "{{ vpc.vpc.id }}" # FIXME: why is this required? state: absent <<: *aws_connection_info register: destroy_table - name: assert destroy table worked assert: that: - destroy_table.changed # FIXME: this currently throws an exception # - name: redestroy public route table # ec2_vpc_route_table: # route_table_id: "{{ create_public_table.route_table.id }}" # lookup: id # state: absent # <<: *aws_connection_info # register: redestroy_table # # - name: assert redestroy table worked # assert: # that: # - not redestroy_table.changed # FIXME: After boto3 port, test updating NAT gateway # # - name: destroy NAT GW # ec2_vpc_nat_gateway: # vpc_id: "{{ vpc.vpc.id }}" # state: absent # wait: yes # release_eip: yes # <<: *aws_connection_info # register: nat_gateway # # - name: create NAT GW # ec2_vpc_nat_gateway: # vpc_id: "{{ vpc.vpc.id }}" # if_exist_do_not_create: yes # <<: *aws_connection_info # register: nat_gateway always: ############################################################################# # TEAR DOWN STARTS HERE ############################################################################# - name: destroy route tables ec2_vpc_route_table: route_table_id: "{{ item.route_table.id }}" vpc_id: "{{ vpc.vpc.id }}" # FIXME: why is this required? lookup: id state: absent <<: *aws_connection_info with_items: - "{{ create_public_table|default() }}" - "{{ create_private_table|default() }}" when: item and not item.failed ignore_errors: yes - name: destroy NAT GW ec2_vpc_nat_gateway: state: absent wait: yes release_eip: yes subnet_id: "{{ subnets.results[0].subnet.id }}" nat_gateway_id: "{{ nat_gateway.nat_gateway_id }}" <<: *aws_connection_info ignore_errors: yes - name: destroy IGW ec2_vpc_igw: vpc_id: "{{ vpc.vpc.id }}" state: absent <<: *aws_connection_info ignore_errors: yes - name: destroy subnets ec2_vpc_subnet: cidr: "{{ item.cidr }}" vpc_id: "{{ vpc.vpc.id }}" state: absent <<: *aws_connection_info with_items: - cidr: 10.228.228.0/24 - cidr: 10.228.229.0/24 - cidr: 10.228.230.0/24 - cidr: 10.228.231.0/24 ignore_errors: yes # FIXME: ec2_vpc_nat_gateway should take care of this, but clearly doesn't always - name: ensure EIP is actually released ec2_eip: state: absent device_id: "{{ item.network_interface_id }}" in_vpc: yes <<: *aws_connection_info with_items: "{{ nat_gateway.nat_gateway_addresses }}" ignore_errors: yes - name: destroy VPC ec2_vpc_net: cidr_block: 10.228.228.0/22 name: "{{ resource_prefix }}_vpc" state: absent <<: *aws_connection_info ignore_errors: yes